Wireshark packet capture tool basic use
2022-07-23 08:49:00 【Codeling】
Catalog
1 Set up a local listening port
2 Select the network interface
3 Add a filter
4 Received data format
5 Meaning of the packet details
5.1 Physical layer: frame overview
5.2 Data link layer: Ethernet frame header
5.3 Network layer: IP header
5.4 Transport layer: TCP segment header
6 Analysing the TCP three-way handshake from captured data
6.1 The three-way handshake
6.2 TCP segment contents
6.3 Frame types
6.4 The three handshake frames
Function overview
Wireshark captures network packets and displays their details, including HTTP, TCP, UDP and other protocols. Note: Wireshark only inspects packets; it cannot modify packet contents or send packets.
1 Set up a local listening port
Start a local TCP server listening on port 8887, then start a local TCP client and connect to it. Both ends run on the same host, so the traffic travels over the loopback interface.

2 Select the network interface
In the capture interface list, select "Adapter for loopback traffic capture" (the Npcap loopback adapter on Windows; on Linux the equivalent is the lo interface), as shown in the figure below

3 Add a filter
Enter the display filter tcp.port == 8887 in the filter bar, as shown in the figure below. A display filter only hides frames that have already been captured; a capture filter (BPF syntax such as port 8887, set before the capture starts) keeps the other traffic out of the capture file altogether.

Other display filters:
tcp -> show only TCP frames;
http -> show only HTTP frames;
ip.src == 192.168.1.102 -> show frames whose source address is 192.168.1.102;
ip.dst == 192.168.1.102 -> show frames whose destination address is 192.168.1.102;
ip.addr == 42.121.252.58 -> show only traffic to or from that host (matches either the source or the destination address);
tcp.port == 80 -> TCP source or destination port is 80;
tcp.srcport == 80 -> show only TCP frames whose source port is 80;
http.request.method == "GET" -> show only HTTP GET requests.
4 Received data format
Display of the received data: the message 123456789 is sent and received, as shown in the figure below

ASCII value display

5 Meaning of the packet details
Packet List Pane
The packet list pane shows, for each packet, its number, timestamp, source address, destination address, protocol, length and summary info.
The packet details pane (Packet Details Pane) is the most important part: it is used to inspect each field of each protocol. For reference, the OSI seven-layer model consists of: physical layer, data link layer, network layer, transport layer, session layer, presentation layer, application layer.
Each line in the packet details corresponds to the OSI model as follows:
Frame: overview of the captured frame (capture metadata such as arrival time and frame length) -> 【physical layer】 in the OSI seven-layer model
Ethernet II: data link layer Ethernet frame header -> 【data link layer】 in the OSI seven-layer model
Internet Protocol Version 4: network layer IP header -> 【network layer】 in the OSI seven-layer model
Transmission Control Protocol: transport layer segment header, here TCP -> 【transport layer】 in the OSI seven-layer model
Hypertext Transfer Protocol: application layer data, here the HTTP protocol -> 【application layer】 in the OSI seven-layer model
5.1 Physical layer: frame overview

5.2 Data link layer: Ethernet frame header

5.3 Network layer: IP header

5.4 Transport layer: TCP segment header

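The layer-by-layer view in section 5 and the display filters in section 3 can be reproduced in a few dozen lines. The following is an added example, not code from the original article or from Wireshark: it builds a constructed Ethernet II / IPv4 / TCP frame (the MAC addresses, IP addresses, ports and sequence numbers are assumptions), dissects it into Wireshark-style field names, and evaluates the simple `field == value` and bare-protocol filter forms listed above against the result. Checksums are left zero and not verified.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits, in the order the flag string is printed.
TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x08: "PSH", 0x01: "FIN", 0x04: "RST"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP frame as test input (constructed data,
    not a real capture). IP and TCP checksums are left zero; dissect() ignores them."""
    # TCP header: ports, seq, ack, data offset (5 words) in the high nibble, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    # IPv4 header: version/IHL 0x45, DSCP 0, total length, id, DF flag, TTL 64, protocol 6 (TCP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    # Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


def dissect(frame):
    """Walk the frame layer by layer, like Wireshark's packet details pane, and return
    a flat dict keyed by Wireshark-style field names."""
    f = {"frame.len": len(frame)}                                   # Frame: capture metadata
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])       # Ethernet II
    f.update({"eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.type": ethertype})
    if ethertype != 0x0800:                                          # only IPv4 is handled here
        return f
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                                       # header length in bytes, options included
    f.update({"ip.version": ver_ihl >> 4, "ip.hdr_len": ihl, "ip.len": total_len, "ip.ttl": ttl,
              "ip.proto": proto, "ip.src": str(IPv4Address(s)), "ip.dst": str(IPv4Address(d))})
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}                       # ip.addr matches either direction
    if proto != 6:                                                   # only TCP is handled here
        return f
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    hdr_len = (off >> 4) * 4
    f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": {sport, dport},
              "tcp.seq_raw": seq, "tcp.ack_raw": ack, "tcp.hdr_len": hdr_len, "tcp.flags": flags,
              "tcp.flags.str": "+".join(n for bit, n in TCP_FLAGS.items() if flags & bit) or "none",
              "tcp.payload": tcp[hdr_len:]})
    return f


def matches(fields, expr):
    """Evaluate the two display-filter shapes used in the article: a bare protocol name
    (`tcp`, `http`) or `field == value` (`tcp.port == 8887`, `ip.src == 192.168.1.102`)."""
    expr = expr.strip()
    if "==" not in expr:
        # a protocol name matches when that layer was dissected; http is never dissected here
        marker = {"eth": "eth.type", "ip": "ip.src", "tcp": "tcp.srcport"}.get(expr)
        return marker is not None and marker in fields
    name, value = (p.strip() for p in expr.split("==", 1))
    if name not in fields:
        return False
    want = int(value) if value.isdigit() else value.strip('"')
    have = fields[name]
    return want in have if isinstance(have, set) else have == want


def filter_frames(frames, expr):
    """Return the 1-based numbers of the frames that pass the display filter."""
    return [i for i, fr in enumerate(frames, 1) if matches(dissect(fr), expr)]


# Constructed sample: the three handshake frames of the article's port-8887 test plus one
# unrelated SYN to port 80. MACs, IPs, ports and sequence numbers are assumptions.
CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT_IP, SERVER_IP = "192.168.1.102", "192.168.1.10"
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 8887, 1000, 0, 0x02),      # SYN
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 8887, 51000, 5000, 1001, 0x12),   # SYN+ACK
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 8887, 1001, 5001, 0x10),   # ACK
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, "203.0.113.5", 51001, 80, 2000, 0, 0x02),    # unrelated
]

if __name__ == "__main__":
    for n, fr in enumerate(SAMPLE_FRAMES, 1):
        d = dissect(fr)
        print(n, d["ip.src"], "->", d["ip.dst"], d["tcp.srcport"], "->", d["tcp.dstport"], d["tcp.flags.str"])
    print("tcp.port == 8887 ->", filter_frames(SAMPLE_FRAMES, "tcp.port == 8887"))
```

Two details worth noticing: `ip.addr` and `tcp.port` are stored as sets because those filters match either direction, which is why `tcp.port == 8887` keeps all three handshake frames while `tcp.srcport == 8887` keeps only the server's SYN+ACK; and the IP header length is taken from the IHL nibble rather than assumed to be 20, so frames carrying IP options are sliced correctly.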
6 Analysing the TCP three-way handshake from captured data
6.1 The three-way handshake
First be clear about the three steps of the handshake itself, as shown in the figure below

The three handshakes proceed as follows:
First handshake: to open a connection, the client sends a SYN segment (syn=j) to the server and enters the SYN_SENT state, waiting for the server's acknowledgement. SYN stands for Synchronize Sequence Numbers.
Second handshake: on receiving the SYN, the server must acknowledge the client's SYN (ack=j+1) and at the same time send its own SYN (syn=k), i.e. a SYN+ACK segment; the server then enters the SYN_RECEIVED state.
Third handshake: the client receives the SYN+ACK and sends an ACK segment (ack=k+1) to the server. Once this segment is sent, both client and server enter the ESTABLISHED state and the TCP connection is open, completing the three-way handshake.
6.2 TCP segment contents

6.3 Frame types

Frame 574 is the client's TCP connection request to the server; it is flagged SYN.
Frame 619 is the server's acknowledgement of that request back to the client; it is flagged SYN, ACK.
Frame 620 is the client's acknowledgement back to the server; with it the connection to the server is established. It is flagged ACK.
Frame 663 is the client's HTTP request for content to the server; it is labelled GET.
Frame 667 is the server acknowledging receipt of that request; it is flagged ACK.
Frame 674 is the server's response to the client's request.
6.4 The three handshake frames
First handshake frame: the client sends a TCP segment with the SYN flag set and sequence number 0, requesting a connection. (Wireshark shows relative sequence numbers by default, so this 0 stands for the client's initial sequence number.)

(The first handshake)
Second handshake frame: the server sends back its acknowledgement with the SYN and ACK flags set. Its acknowledgement number (Acknowledgement Number) is the client's ISN (initial sequence number) plus 1, i.e. 0 + 1 = 1, as shown in the figure below

(The second handshake)
Third handshake frame: the client sends an acknowledgement (ACK) with the SYN flag cleared (SYN = 0) and the ACK flag set (ACK = 1). Its acknowledgement number is the server's sequence number plus 1, placed in the acknowledgement field, and its own sequence number has advanced to 1 because the SYN consumed one sequence number. As shown in the figure below

(The third handshake)
That concludes the TCP three-way handshake as seen in Wireshark.
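The seq/ack relationships in sections 6.1 and 6.4 are easy to state and easy to get wrong when reading raw values. The following is an added example, not code from the original article or from Wireshark: it replays a constructed handshake (the addresses and the raw initial sequence numbers j and k are assumptions) through a small state tracker that enforces ack=j+1 and ack=k+1, handles 32-bit wraparound, and computes the relative sequence numbers Wireshark displays, which is why the capture shows 0, 1 and 1 rather than the raw ISNs.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
CORE_FLAGS = 0x17          # FIN | SYN | RST | ACK: the bits that decide the handshake outcome
MASK32 = 0xFFFFFFFF        # sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str               # sender, "ip:port"
    dst: str
    seq: int               # raw sequence number as it appears in the capture
    ack: int               # raw acknowledgement number (meaningful only when ACK is set)
    flags: int


class HandshakeTracker:
    """Replays one conversation and checks each handshake step against the previous ones."""

    def __init__(self):
        self.state = "CLOSED"
        self.client = self.server = None
        self.client_isn = self.server_isn = None

    def feed(self, s):
        core = s.flags & CORE_FLAGS            # PSH/URG/ECE/CWR do not change the outcome
        if self.state == "CLOSED" and core == SYN:
            self.client, self.server, self.client_isn = s.src, s.dst, s.seq     # syn=j
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and core == SYN | ACK and s.src == self.server:
            expected = (self.client_isn + 1) & MASK32                           # ack=j+1
            if s.ack != expected:
                raise ValueError(f"SYN+ACK acknowledges {s.ack}, expected {expected}")
            self.server_isn = s.seq                                             # syn=k
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and core == ACK and s.src == self.client:
            if s.seq != (self.client_isn + 1) & MASK32 or s.ack != (self.server_isn + 1) & MASK32:
                raise ValueError("final ACK does not match the SYN and SYN+ACK sequence numbers")
            self.state = "ESTABLISHED"                                          # ack=k+1
        else:
            raise ValueError(f"unexpected flags 0x{s.flags:02x} from {s.src} in state {self.state}")
        return self.state

    def relative(self, s):
        """Relative seq/ack as Wireshark displays them: raw value minus that side's ISN.
        The SYN consumes one sequence number, so the final ACK shows seq=1, ack=1."""
        if s.src == self.client:
            own_isn, peer_isn = self.client_isn, self.server_isn
        else:
            own_isn, peer_isn = self.server_isn, self.client_isn
        rel_seq = (s.seq - own_isn) & MASK32
        rel_ack = (s.ack - peer_isn) & MASK32 if s.flags & ACK else 0
        return rel_seq, rel_ack


def replay(segments):
    """Feed a conversation through the tracker; returns (state, rel_seq, rel_ack) per segment.
    Raises ValueError at the first segment that breaks the handshake rules."""
    tracker = HandshakeTracker()
    out = []
    for s in segments:
        state = tracker.feed(s)
        out.append((state,) + tracker.relative(s))
    return out


# Constructed sample: the article's loopback test on port 8887. The raw ISNs j and k are
# assumptions; Wireshark would display both as relative 0.
CLIENT, SERVER = "127.0.0.1:51000", "127.0.0.1:8887"
J, K = 0x1A2B3C4D, 0x9E8F7A6B
HANDSHAKE = [
    Segment(CLIENT, SERVER, J, 0, SYN),              # 1st: syn=j
    Segment(SERVER, CLIENT, K, J + 1, SYN | ACK),    # 2nd: syn=k, ack=j+1
    Segment(CLIENT, SERVER, J + 1, K + 1, ACK),      # 3rd: seq=j+1, ack=k+1
]

if __name__ == "__main__":
    for n, (state, rel_seq, rel_ack) in enumerate(replay(HANDSHAKE), 1):
        print(f"handshake {n}: state={state} seq={rel_seq} ack={rel_ack}")
```

The tracker deliberately stops at ESTABLISHED and rejects anything else, so it doubles as a quick sanity check on a capture: a SYN+ACK whose acknowledgement number is not j+1, or a third ACK arriving from the wrong side, raises immediately instead of being silently accepted.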